Most iPhone banking apps vulnerable to hacking

Man-in-the-middle attacks threaten users on public networks

A report from security assessment firm IOActive suggests that most mobile banking apps for iPhone and iPad are full of flaws.

IOActive researcher Ariel Sanchez recently studied the security features of 40 mobile banking apps for iOS, including the apps used by some of the world's leading financial institutions.

All of the apps that Sanchez tested could be installed and run on jailbroken devices, which have been modified by the user to accept apps unauthorized by Apple. Running an app on a jailbroken device lets attackers circumvent the security features built into iOS and access the restricted resources of other apps on a user's device.

In an IOActive blog post outlining his research, Sanchez noted that 40 per cent of the apps tested had compromised transport mechanisms and 90 per cent had non-SSL links. This leaves app users susceptible to 'man-in-the-middle' attacks. In such attacks, users may be redirected to malicious sites where their login information can be stolen.

Attacks at the coffee shop?

These attacks are more likely to happen on untrusted networks like WiFi hotspots, which makes mobile banking from public locations like coffee shops less of a convenience and more of a nightmare waiting to happen.

In his blog post, Sanchez notes that phishing attacks that utilize cross-site scripting have become very popular lately, often resulting in the theft of a victim's login credentials. In a typical attack, the user might be asked to re-enter his or her username and password "because the online banking session has expired." Such an attack can give cybercriminals full access to a customer's bank accounts.

Sanchez offered some recommendations for developers of mobile banking apps to consider in the future. These include tightening the security of transfer protocols for all connections made, enforcing SSL certificate checks by the client application, encrypting data using iOS's own data protection and removing all development code from the released application.